Hackers offered $100,000 for browser and phone exploits

Security company 3Com TippingPoint has jacked up to $100,000 (£65,000) the prize money on offer to anyone able to hack a range of browsers and mobile devices at the forthcoming CanSecWest security conference.

By
John E Dunn
| Mar 17, 2010

Share

TwitterFacebookLinkedIn

Security company 3Com TippingPoint has jacked up to $100,000 (£65,000) the prize money on offer to anyone able to hack a range of browsers and mobile devices at the forthcoming CanSecWest security conference.

Running for the fourth year at the event, $40,000 of the Pwn2Own contest pot will be on offer to entrants that successfully exploit security vulnerabilities to compromise the top four browsers, Internet Explorer, Mozilla Firefox, Google Chrome, and Safari, equivalent to $10,000 per browser.

To win the money outright, the attacks on IE, Firefox and Chrome must work while running on a fully-patched Windows 7, while Safari will be attacked running on OS X Snow Leopard. Brownie points will be gained if the same flaw works on Vista and XP, although the assumption would be that this would be highly likely anyway.

To make the contest tougher, attackers can't use third-party plug-ins such as Adobe Flash on day one of the event. These are often a soft underbelly, so excluding them raises the bar.

Part two of the contest, account for the remaining $60,000, will ask contestants to successfully hack the Apple iPhone, Blackberry Bold 9700, the Nokia/Symbian S60, and an unspecified Motorola device running Android, with each worth $15,000.

In both sections of the contest - browser and mobile device - bonus benefits will also be offered for exploits that show an unusual level of difficulty, and winners will get to keep the device on which the hack was carried out.

Despite the eye-catching cash on offer, the contest is really a clever way of marketing TippingPoint's controversial Zero-Day Initiative (ZDI) scheme, under which researchers are paid to find exploits which are then added to the intrusion detection engines from which the company makes much of its living.

At the time of its launch in 2005, the ZDI was criticised by rival vendors and some independent voices as tantamount to encouraging people to sell exploits uncovered to the highest bidder, in this case, 3Com's TippingPoint division.TippingPoint points out that all exploits discovered through the Pwn2Own contest will be disclosed to the vendors concerned as well as being added to its own database.

Pwn2Own co-ordinator at TippingPoint, Aaron Portnoy, predicted that mobile devices would be particularly vulnerable while the easiest browser to crack would be IE on Windows 7. The browser that would resist attacks the most robustly would be Chrome thanks to its sandbox security feature which restricts what can happen inside a browser.

"The discoveries and threats that come out of this will unequivocally show just how much ‘at risk' many businesses are," said Portnoy in his contest notes.